CA SiteMinder Federation Runbook for
Microsoft Office 365
Legal Notice
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in
part, without the prior written consent of CA. This Documentation is confidential and proprietary information of
CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate
agreement between you and CA governing your use of the CA software to which the Documentation relates; or
(ii) a separate confidentiality agreement between you and CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to
the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.
Copyright © 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced
herein belong to their respective companies.
Support
This document is produced by FuGen Solutions Inc. (www.fugensolutions.com), who can be reached at [email protected], on behalf of CA Technologies Inc. (www.ca.com).
Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that
you need for your Home Office, Small Business, and Enterprise CA Technologies products. At
http://ca.com/support, you can access the following resources:
Online and telephone contact information for technical assistance and customer services
Information about user communities and forums
Product and documentation downloads
CA Support policies and guidelines
Other helpful resources appropriate for your product
Providing Feedback About Product Documentation
If you have comments or questions about CA Technologies product documentation, you can send a
message to [email protected] or [email protected]
Contents
Legal Notice
Contents
Chapter 1: SaaS Partner Introduction
  Overview
  Partnership Process
    Prerequisites
    Manual Directory Synchronization Example
    Target Microsoft Office 365 Services
Chapter 2: Configure CA SiteMinder (12.52) as Identity Provider
  Configure Identity Provider and Service Provider Entities
    Local Entity Creation
    Remote Entity Creation
  Configure Federation Partnership between CA – SiteMinder (IDP) & Microsoft Office 365 (RP)
    Configure Partnership
    Federation Users
    Assertion Configuration
    SSO and SLO
    Configure Signature and Encryption
    Partnership Activation
Chapter 3: Configure Service Provider
  Configure Microsoft Office365
    Directory Synchronization (Synchronize On-Premise AD users to Office 365 Cloud)
    Activate Synchronized User:
    Configure partnership in Windows Active Directory for Windows Power Shell
    User Role Assigning
Chapter 4: Federation Testing & Target Services
  Federation Testing
    Identity Provider Initiated Testing
    Service Provider Initiated Testing
    Single Logout
  Federation testing for Active Profile
    Microsoft Lync 2013:
    Microsoft Outlook 2013
Chapter 5: Exception Handling
  Exception Cases
    When the SiteMinder Partnership is Inactive
    When Service Provider Entity ID was misconfigured on the SiteMinder Side
    When Identity Provider Entity ID was misconfigured on the SiteMinder Side
    When Service Provider Security Token Consumer Service URL was misconfigured on the SiteMinder Side
    Audience Field was misconfigured on the SiteMinder Side
    Name ID Format values was misconfigured on the SiteMinder Side
    User who is not in the Microsoft Office 365 trying to login through SiteMinder
    SiteMinder User who doesn’t have desired attributes in the user store
Chapter 6: Summary
Chapter 1: SaaS Partner Introduction
This section contains the following topics:
Overview
Partnership Process
Prerequisites
Manual Directory Synchronization Example
Target Microsoft Office 365 Services
Overview
The scope of the document is to provide the necessary steps to configure the federation partnership to achieve SSO (Single-Sign-On) between CA SiteMinder 12.52, acting as the WS-Fed Identity Provider (IDP), and Microsoft Office 365 acting as the WS-Fed Resource Partner (RP).
Partnership Process
The partnership creation for each partner involves the following steps:
1. Installing and configuring the prerequisites
2. Configuring SiteMinder as an Identity Provider
3. Configuring the Service Provider
4. Testing the Federated SSO
Prerequisites
Prerequisites for CA SiteMinder and CA Secure Proxy Server
Installation of CA SiteMinder 12.52 Suite
Creation of Signed Certificate by a well-known Certificate Authority such as VeriSign, Entrust, Thawte or Go Daddy for Identity Provider Digital Signature.
Important! - The Federation Partnership Authentication URL must be protected by SiteMinder with persistent sessions enabled.
Identity Provider Authentication URL is protected by creating following objects:
o Authentication Scheme
o Domain
o Realm
o Rule & Policy
Notes: Protecting the Authentication URL ensures that a user requesting a protected federated
resource is presented with an authentication challenge if they do not have a SiteMinder session
at the Identity Provider.
Installation of CA SiteMinder Secure Proxy Server 12.52
Protect CA Secure Proxy Server Admin UI
Navigate to the Agent that was registered during CA Secure Proxy Server configuration. It should be in the following format: [DOMAIN-SPSADMINUI-{agentname}] (e.g. DOMAIN-SPSADMINUI-caspsagent). Add User Directory and Policy to this domain.
Log into CA Secure Proxy Server and create Security Token Service (STS) with CA SiteMinder Partnership Name (e.g. SamplePartnership-Office365)
Place the SSL public cert and SSL private key in SPS and enable SSL on CA SiteMinder SPS
Review the STS logs at secure-proxy_install_dir/proxy-engine/logs/partnership_name.log to make sure the STS is functional. A message stating that STS initialization is complete indicates that the STS is running. Alternatively, type the following URL; the following message confirms that the STS is functional: https://{sps-domainName}/{CA-SiteMinder-PartnershipName}/ws-username
Test Secure Proxy Server – After restarting the CA Secure Proxy Server, type the following URL in the browser and verify that CA Secure Proxy Server is working as expected: https://{sps-domainName}/affwebservices/assertionretriever
The STS must have internet access.
Pre-Requisites for Microsoft Office 365 Single Sign-On
Microsoft Office 365 – Enterprise Account
DNS information to register a domain with your DNS provider.
Registered Domain and Active Directory domain must be the same in order to synchronize the Active Directory users to Office 365.
Install the Windows Azure Active Directory Module described here: http://aka.ms/aadposh which requires the Online Services Sign-In Assistant: http://go.microsoft.com/fwlink/?LinkId=286152
Download Office 365 desktop client Application.
User synchronization between your user store and Office 365. Password synchronization is not required. The following synchronization methods are supported:
Manual synchronization: Use Windows Azure AD Module for Windows PowerShell. This method is adequate for testing SSO.
Microsoft Directory Sync tool: Microsoft provides a tool for synchronizing Active Directory with Office 365. This method is adequate when user accounts are stored in a single Active Directory domain.
CA Identity Minder connector for Office 365: CA provides an Identity Minder connector for Office 365 for user synchronization. This method works well when user accounts are stored in Active Directory, CA Directory, LDAP, or RDBMS.
Manual Directory Synchronization Example
This example demonstrates copying an Active Directory user to Office 365.
Open the Windows Azure Active Directory Module for Windows PowerShell and run the following commands. Provide your own values for upn and location.
Syntax:
# displayName is not among the default Get-ADUser properties, so request it explicitly
$User = Get-ADUser -Filter {userPrincipalName -eq "[upn]"} -Properties displayName
# ImmutableID is the Base64 encoding of the AD objectGUID bytes
$ImmutableID = [System.Convert]::ToBase64String($User.objectguid.ToByteArray())
New-MsolUser -UserPrincipalName $User.userPrincipalName -immutableID $ImmutableID -LastName $User.surname -FirstName $User.givenName -DisplayName $User.displayName -UsageLocation [location]
upn: Login name of the user. For example: [email protected]
location: Two-letter country code of the user. For example "US".
Target Microsoft Office 365 Services
The following services of Microsoft Office 365 have been tested for federation using CA SiteMinder 12.52 as Identity Provider.
Outlook
Lync
SkyDrive
SharePoint Online
Chapter 2: Configure CA SiteMinder (12.52) as Identity Provider
This section contains the following topics:
Configure Identity Provider and Service Provider Entities
Configure Federation Partnership between CA – SiteMinder (IDP) & Microsoft Office 365 (RP)
Configure Identity Provider and Service Provider Entities
To create Entities, log in to CA SiteMinder and navigate to Federation > Partnership Federation > Entity > Create Entity
Local Entity Creation
Configure Local Identity Provider Entity with following details:
o Entity Location – Local
o Entity Type – WSFED Identity Provider
o SAML Token Type – SAML 1.1
o Entity ID – Any (e.g. https://ca-technologies.fugen.com)
o Entity Name – Any (e.g. SampleEntity-WSFed-SAML1.1)
o Base URL – https://<FWS_FQDN> where FWS_FQDN is the fully-qualified domain name for the host serving SiteMinder Federation Web Services (e.g. ca-technologies.fugen.com)
o Disambiguation ID – Unique identifier for the partnership (e.g. samlsso)
o Signing Private Key Alias – Select the correct private key alias or import one (e.g. catech)
o Supported Name ID format – Unspecified
o Click “Finish”.
Remote Entity Creation
Remote Entity can be created either through metadata import or manually. To configure
Remote SP Entity manually, select Create Entity
Create Microsoft Office 365 Remote Entity with following details
o Entity Location – Remote
o New Entity Type – WSFED Resource Provider
o SAML Token Type – SAML 1.1
o Entity ID – urn:federation:MicrosoftOnline
o Entity Name – Any (e.g. MicrosoftOffice365)
o Description – Any (e.g. WSFED RP for Office 365)
o Remote Security Token Consumer Service URL - https://login.microsoftonline.com
o Remote Sign-Out URL – https://login.microsoftonline.com
o Supported Name ID Formats – Unspecified
o Click “Finish”
Configure Federation Partnership between CA – SiteMinder (IDP) & Microsoft Office 365 (RP)
Log in to CA SiteMinder and navigate to Federation > Partnership Federation > Create Partnership
Select WSFED IP -> RP
Configure Partnership
Add Partnership Name – Any (e.g. SamplePartnership-Office365)
Local IDP ID – Select Local IDP ID (e.g. https://ca-technologies.fugen.com)
Remote SP ID – Select Remote SP ID (urn:federation:MicrosoftOnline)
Base URL – Will be pre-populated
Skew Time – Any per environment requirement (e.g. 30)
Enable Metadata Exchange – Select the check box.
STS for WSFED Active Profile – Select the check box.
Select the user store (e.g. smuserstore) from the “Available Directories”
Note: Make sure this partnership name is the same as the value given in the CA Secure Proxy Server STS.
Federation Users
Configure Federation Users – Accept default values
Assertion Configuration
Name ID Format:
Name ID Format – Unspecified
Name ID Type – User Attribute
Value – EmailAddress (LDAP Attribute name which contains Immutable ID)
Assertion Attributes:
Assertion Attribute – UPN
Namespace – http://schemas.xmlsoap.org/claims
Type – User Attribute
Value – name (LDAP Attribute name which contains UPN - name)
Assertion Attributes:
Assertion Attribute – ImmutableID
Namespace – http://schemas.microsoft.com/LiveID/Federation/2008/05
Type – User Attribute
Value – emailAddress (LDAP Attribute name which contains Immutable ID)
SSO and SLO
Authentication URL – URL that is protected by SiteMinder as mentioned in pre-requisites
(e.g.: http://ca-technologies.fugen.com/affwebservices/redirect.jsp)
SSO Binding – Select SSO Binding supported by the Service Provider – HTTP-Post
Audience – urn:federation:MicrosoftOnline
Security Token Consumer Service URL – https://login.microsoftonline.com
Enable Sign-Out - checked
Add Sign-out Confirmation URL –
https://login.microsoftonline.com/login.srf?wa=wsignoutcleanup1.0
Add Sign-out URL – URL of the wsfeddispatcher service e.g. https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/msol-ca-technologies.fugen.com
Configure Signature and Encryption
Signing Private Key Alias – Verify correct Private Key Alias is selected
On the confirmation screen, make sure the STS information is displayed correctly. Confirm the remaining values and finish the Partnership.
Partnership Activation
Activate the created Partnership.
Chapter 3: Configure Service Provider
This section contains the following topics:
Directory Synchronization (Synchronize On-Premise AD users to Office 365 Cloud)
Activate Synchronized User:
Configure partnership in Windows Active Directory for Windows Power Shell
Configure Microsoft Office365
Directory Synchronization (Synchronize On-Premise AD users to Office 365 Cloud)
Activate Directory Synchronization:
Activate directory synchronization to use your on-premises Active Directory to add users to Microsoft Office 365. Steps to follow to activate directory synchronization:
Login to Microsoft portal online using the enterprise admin account.
Click “Users and Group” and Click “Activate”
Click on “Activate” in Step 3 and click “Download” to download the Directory Sync Tool.
Click on “Activate”.
Once it has been activated, following message will be shown.
Configure Directory Synchronization:
Note: Do not run this tool using the Admin account of Active Directory Domain Controller; use
any other user account to run this tool. Admin credentials are required, however.
Open Directory Sync tool and click “Next”.
Provide Microsoft Office 365 login credentials and click “Next”.
Provide Active Directory Credentials and click “Next”.
Click “Next” > “Next” > “Next” and then “Finish” on the upcoming screens.
Activate Synchronized User:
Assign Licenses and Activate Synchronized Users:
To activate synchronized users from Active Directory, select the user and click “ ” icon
Select services for the particular user and click “Next”.
Note: User will be able to login only to the selected services.
Provide the email address in order to send credentials via email and click “Activate”.
Click on “Finish”.
Configure partnership in Windows Active Directory for Windows Power Shell
Launch Windows Azure Active Directory Module for Windows PowerShell as an Administrator.
Connect to Office 365 as a Microsoft Office 365 Administrator:
Type the following command in Microsoft PowerShell
Connect-MsolService
Change the Domain Authentication method to “Federated”
Note: Line breaks are only shown here for formatting and readability purposes
Set-MsolDomainAuthentication
-Authentication Federated
-DomainName <domain name>
-FederationBrandName <any name>
-IssuerUri <Identity provider URI>
-LogOffUri <Identity provider Logoff URI>
-PassiveLogOnUri <Identity provider Passive logon URI>
-SigningCertificate <IP Signing certificate>
e.g.
Set-MsolDomainAuthentication
-Authentication Federated
-DomainName ca-technologies.fugen.com
-FederationBrandName ca-technologies.fugen.com
-IssuerUri https://ca-technologies.fugen.com
-LogOffUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
-PassiveLogOnUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
-SigningCertificate "MIIEmDCCAoCgAw…..5WifUBkgA=="
Note: If you are updating values after the authentication method is set to Federated then you must
use the command Set-MsolDomainFederationSettings
Set-MsolDomainFederationSettings
-DomainName <domain name>
-FederationBrandName <any name>
-PreferredAuthenticationProtocol WsFed
-IssuerUri <Identity provider URI>
-LogOffUri <Identity provider Logoff URI>
-ActiveLogOnUri <Identity Provider Active LogOnURI>
-PassiveLogOnUri <Identity provider Passive logon URI>
-SigningCertificate <IP Signing certificate>
e.g.
Set-MsolDomainFederationSettings
-DomainName ca-technologies.fugen.com
-FederationBrandName ca-technologies.fugen.com
-IssuerUri https://ca-technologies.fugen.com
-LogOffUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
-ActiveLogOnUri https://ca-technologies.fugen.com/SamplePartnership-Office365/ws-username
-PassiveLogOnUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
-PreferredAuthenticationProtocol WsFed
-SigningCertificate "MIIEmDCCAoCgAw…..5WifUBkgA=="
User Role Assigning
Get to Users and Groups Tab and select the user to be tested (e.g. iduser)
Select all applications as shown below:
Chapter 4: Federation Testing & Target Services
This section contains the following topics:
Federation Testing
Federation testing for Active Profile
Federation Testing
Microsoft Office 365 supports both Service Provider and Identity Provider initiated login. This
version of Microsoft Office 365 does not support Mobile Application login via federated Single
Sign-On.
Identity Provider Initiated Testing
Access URL - https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline
Enter the credentials and click login
User will be landing at the Microsoft Office 365 home page
Service Provider Initiated Testing
Access URL – portal.microsoftonline.com
This will automatically direct the user to the login page of Identity Provider (SiteMinder).
Enter the credentials and click login
User will be landing at the Microsoft Office 365 home page
Single Logout
Navigate to Admin and select Sign out
After logout, the user is redirected to the login screen as configured in the SLO step
Federation testing for Active Profile
Microsoft Lync 2013:
Download Lync 2013 app
Login to Microsoft Lync 2013 with Active Directory login credentials.
Provide Active Directory login password.
After Successful login, user can login into Lync 2013 application using Active Logon.
Microsoft Outlook 2013
Configure Microsoft Outlook 2013 – Navigate to File > Data File Management
Click “New”
Choose “Microsoft Exchange,POP3, IMAP, or HTTP” and Click “Next”
Select “Manually Configure server settings or additional server types” and Click “Next”
Select “Internet E-mail” and click on “Next”
Provide E-mail Settings
o Email-Address – Provide email address of the user
o Account Type – Select “POP3”
o Incoming mail server – outlook.office365.com
o Outgoing mail server(SMTP) – smtp.office365.com
o Username – Provide emailAddress of the user
o Password – Provide user password
Click “More Settings”
Click “Advanced” tab.
o Under Server Port Numbers, do the following changes
o Incoming Server(POP3) – 995
o Check “This server requires an encrypted connection(SSL)”
o Outgoing server(SMTP) – 587
o Use the following type of encrypted connection – Select “TLS”
Click “Ok”
Click “Outgoing Server” tab and select “My outgoing server (SMTP) requires authentication”
and click “OK”
Click “Next”
Click “Finish”
Once configuration is completed, user should be able to access Outlook emails.
Chapter 5: Exception Handling
This section contains the following exceptions:
When the SiteMinder Partnership is Inactive
When Service Provider Entity ID was misconfigured on the SiteMinder Side
When Identity Provider Entity ID was misconfigured on the SiteMinder Side
When Service Provider Security Token Consumer Service URL was misconfigured on the SiteMinder Side
Audience Field was misconfigured on the SiteMinder Side
Name ID Format values was misconfigured on the SiteMinder Side
User who is not in the Microsoft Office 365 trying to login through SiteMinder
SiteMinder User who doesn’t have desired attributes in the user store
Exception Cases
When the SiteMinder Partnership is Inactive
When SiteMinder Partnership is Inactive or not Defined, following error appears on browser
When Service Provider Entity ID was misconfigured on the SiteMinder Side
Entity ID used https://ca-technologies.fugen.com/office
Result Fails at the Microsoft Office 365 side and displays the error given below.
When Identity Provider Entity ID was misconfigured on the SiteMinder Side
Entity ID used urn:federation:MicrosoftOnline/fugen
Result Fails before authentication and displays the error given below.
When Service Provider Security Token Consumer Service URL was misconfigured on the SiteMinder Side
Security Token Consumer Service URL used https://login.microsoftonline.com/fugen
Result Redirects to the specified URL after authentication with a blank page
Audience Field was misconfigured on the SiteMinder Side
Audience used urn:federation:MicrosoftOnline
Result Authentication at the Microsoft Office 365 fails and displays the error given below.
Name ID Format values was misconfigured on the SiteMinder Side
Name ID Format used X509 Subject Name
Result Works fine without any issue. Only a change of attributes matters.
User who is not in the Microsoft Office 365 trying to login through SiteMinder
User ID used demouser1
Result User does not exist in Microsoft Office 365 and produces the following error
SiteMinder User who doesn’t have desired attributes in the user store
User ID used feduser1
This user doesn’t have the email id attribute which is the Name ID Format used in the Partnership.
Result After authentication, following error page appears.
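The exception cases above, together with the ImmutableID derivation from the manual synchronization example, can be checked before a token ever reaches Office 365. The following is an added example, not part of the original runbook: it compares the claims in a captured SAML 1.1 assertion with the values configured in the partnership. The function names, the GUID, the UPN and the sample assertion are constructed for illustration; the sample deliberately carries a wrong Audience and omits the ImmutableID attribute, and it is unsigned, so signature verification is not performed.

```powershell
# Added example. Function names and all sample values are constructed for illustration.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same derivation as the manual synchronization example: Base64 of the GUID bytes.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-WsFedAssertion {
    param(
        [Parameter(Mandatory)][xml]$Assertion,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$ExpectedUpn,
        [Parameter(Mandatory)][string]$ExpectedImmutableId,
        [string]$ExpectedAudience = 'urn:federation:MicrosoftOnline'
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Assertion.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')  # SAML 1.1 keeps the 1.0 namespace
    $root = $Assertion.SelectSingleNode('//saml:Assertion', $ns)
    if (-not $root) { throw 'Input does not contain a SAML 1.1 assertion.' }

    # Return the trimmed text of the first node matching an XPath, or nothing when it is absent.
    $read = {
        param($xpath)
        $node = $root.SelectSingleNode($xpath, $ns)
        if ($node) { $node.InnerText.Trim() }
    }
    # Attribute namespaces as configured under Assertion Configuration.
    $claims = 'http://schemas.xmlsoap.org/claims'
    $liveId = 'http://schemas.microsoft.com/LiveID/Federation/2008/05'
    $attr   = "saml:AttributeStatement/saml:Attribute[@AttributeName='{0}' and @AttributeNamespace='{1}']/saml:AttributeValue"

    $actual = [ordered]@{
        Issuer      = $root.GetAttribute('Issuer')
        Audience    = & $read 'saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience'
        UPN         = & $read ($attr -f 'UPN', $claims)
        ImmutableID = & $read ($attr -f 'ImmutableID', $liveId)
    }
    $expected = @{
        Issuer = $ExpectedIssuer; Audience = $ExpectedAudience
        UPN = $ExpectedUpn; ImmutableID = $ExpectedImmutableId
    }

    foreach ($name in $actual.Keys) {
        [pscustomobject]@{
            Check    = $name
            Expected = $expected[$name]
            Actual   = $actual[$name]
            # Exact, case-sensitive match; a missing or empty value never passes.
            Pass     = ($actual[$name] -ceq $expected[$name]) -and [bool]$actual[$name]
        }
    }
}

# Constructed sample: unsigned assertion with a wrong Audience and no ImmutableID attribute.
$guid        = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$immutableId = ConvertTo-ImmutableId -ObjectGuid $guid
$sample = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed" Issuer="https://ca-technologies.fugen.com" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:MicrosoftOnline/fugen</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>$immutableId</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>iduser@ca-technologies.fugen.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

Test-WsFedAssertion -Assertion $sample -ExpectedIssuer 'https://ca-technologies.fugen.com' `
    -ExpectedUpn 'iduser@ca-technologies.fugen.com' -ExpectedImmutableId $immutableId |
    Format-Table -AutoSize
```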
Chapter 6: Summary
Microsoft Office 365 supports both Identity Provider and Service Provider-initiated scenario
Microsoft Office 365 services federation via Browser-SSO is tested
SPS is configured for Microsoft 365.
No backchannel or artifact based profiles are implemented at Microsoft Office 365
The SSO, assertion consumer and target URLs are all https
Microsoft Office 365 Single Logout Service URL is tested
The following services provided by Microsoft Office 365 have been tested for desktop
browser environment
Lync
Outlook
SkyDrive
SharePoint Online